How light can you go?

My son needed a laptop for his study. It is more or less a forced buy from his university, with a few options. So we decided to use the cheapest one.

Setup will be

Vista 32 bits, 4 GB RAM (old DDR2); we will be using the non-addressable RAM as a RAM drive for the swap file.

FireWall
No question, we will use the fastest two-way, low-overhead firewall available for Vista. Thanks to Stem's post https://www.wilderssecurity.com/showthread.php?t=239750
(and a little help from Vista FW Control free, to get the correct paths and executable names to manually allow).

Intrusion Protection: UAC/Norton UAC
No question again. We will use the fastest/lightest intrusion detection available on Vista: UAC. To remember choices we have selected the freebie Norton UAC Tool. BYE BYE ROOTKITS

Windows Defender
Joined the advanced group, deselected scheduled scans and the on-access scan. WD will still check downloaded programs, but uses very, very few CPU cycles now. Also the other agents will still warn you when an intrusion occurs. BYE BYE SPYWARE.

Virtualisation/sandboxing: Chromium/Iron's internal policy sandbox
We downloaded the fastest lightweight browser, the completely disinfected version of Chrome: Iron of SRWare. We used the mobile version, because it is easier to contain/further limit. Iron (Chromium) has an internal sandbox.

The VISTA virtualisation trick with UAC!
Just to be sure we right-clicked on Task Manager, clicked View, selected Columns, and chose Virtualisation (see pic). All Internet-facing programs were forced to run virtualised (similar to running in protected mode like IE8). Also Foxit (PDF), Flash, etc. were set to this mode.

Software Restriction Policies: Pretty Good Security
YES it is there, the great Pretty Good Security, just PM Sully when you want to beta test. Version 1028 running great. SRP policy:
a) All Internet-facing programs run in LUA, except IRON
b) The user space (in our case D:\Data or the moved My Documents) has a DENY on execution

EdgeGuard Solo
Runs OFFICE and IRON as limited. Advantage: with EdgeGuard Solo, IRON runs when SRP is on all executables (otherwise you have to exclude DLLs). Downside: EdgeGuard does not protect against direct disk access, but this is compensated for with virtualisation.

AntiVirus/Blocker: Avast Standard Shield
We used Avast free, only the standard module (we have moved the e-mails of Outlook Express to D:\Data\Mail and contained them with Pretty Good Security 102, so only the standard shield is enough). We only check on execute the old DOS and 16-bit Windows programs; 32/64-bit and DLLs are not checked.
We have deselected READ scanning, so only checking on write of new or changed executables. Normally writing is too late, but Avast has its VRDB database to fall back to a previous (uninfected) executable.

Avast Blocker
We also use the old-fashioned BLOCKER (see advanced options of the standard shield) to throw a warning when an executable is RENAMED. The funny thing is this RENAME also prompts into action when an executable is MOVED! This closes the gap of any malware being able to move its executable from the user space (where it cannot execute) to the Admin/system space (where no SRP is in place). PERFECT!

Off-topic, really enjoy Iron, but find when the spell-checker identifies a word, when you right-click, it crashes.

Also with Windows Defender, once it alerts you of a possible change, how effective is WD in preventing the change? I liked how light it was, but found to 'undo' a system change it had alerted me to, it would report back something like 'change could not be made', or along those lines.

Well, on Vista with UAC it is stronger than on XP. I agree that on 'heavy' malware it sometimes warns, but cannot prevent the system from shutting down. I have OSAM and Process Hacker for when WD fails to undo (look at the history in WD).

It is much lighter when you disable the on-execution scan of the real-time agents.

Did not know about the bug of Iron; alternatively just download the latest Chromium Portable and start incognito by default.

We ran some benchmarks and beat some other freeware setups, some marginal (e.g. the latest CIS, 17% more efficient on CPU and 7% more efficient on internet, this sounds a lot but with the low resource usage both have the absolute difference is fractional), some by far (e.g. Sandboxie).

Kees, I have a question. I can turn on virtualization for let's say Firefox (while it's running) but when I close it out and then activate it again virtualization is no longer enabled. So my question, how did you get it to remain enabled? Or did you have to enable it each time you activate an internet facing application?

The differing approaches by Kees1958 and Franklin go to show that there are multiple ways to achieve a secure system. Both of the set-ups mentioned would make malware infection extremely unlikely, so it's just down to personal preference which method to employ.

Kees, I have a question. I can turn on virtualization for let's say Firefox (while it's running) but when I close it out and then activate it again virtualization is no longer enabled. So my question, how did you get it to remain enabled? Or did you have to enable it each time you activate an internet facing application?

Thanks.

Later...

BTW, I'm running Vista Ultimate.

Trespasser,

I will have to ask my son. He is on a rugby tour right now, will be back next week. He created a user account which asks for the admin password when an elevation request is required. I also know he plays with PowerShell scripts (I fear he gave me the simple version of how it works).

He set up another account, editing HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System with regedit:

"ConsentPromptBehaviorAdmin"
User Account Control: Behavior of the Elevation Prompt For Administrators in Admin Approval Mode
0 = run in quiet mode (keep UAC on, but automatically elevate to Admin)
1 = run UAC; when an elevation request occurs, you are asked to enter the admin password
2 = run UAC; prompts for confirmation to continue a task which requires admin rights (default)

"ConsentPromptBehaviorUser"
User Account Control: Behavior of the Elevation Prompt For Standard Users
0 = no pop-up; disallow/block when UAC is on and running as a limited user account
1 = allows you to take over the credentials of the admin by entering account and password
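As an added illustration (not a script from the thread or from Kees' son), a PowerShell snippet that reads the two values listed above from that key and reports what each setting means according to the list, warning when elevation is silent. It assumes the EnableLUA value in the same key reflects whether UAC is switched on at all.

```powershell
# Added example: audit the UAC elevation-prompt settings under the key
# edited above and describe them using the meanings given in the post.
$path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Meanings as described in the post; other values exist but are not listed here.
$adminMeaning = @{
    0 = 'quiet mode: UAC on, but elevation is automatic'
    1 = 'prompt for the admin password on elevation'
    2 = 'prompt for confirmation on elevation (default)'
}
$userMeaning = @{
    0 = 'no pop-up: elevation requests from a limited user are blocked'
    1 = 'prompt for the admin account name and password'
}

function Describe-Value($table, $value) {
    # A missing value means the policy is not set and the Windows default applies.
    if ($value -eq $null) { return 'value not present (Windows default applies)' }
    if ($table.ContainsKey([int]$value)) { return $table[[int]$value] }
    return "value $value not described in the post"
}

# Reading the key needs no elevation; only read access to HKLM is required.
$p = Get-ItemProperty -Path $path
$admin = $p.ConsentPromptBehaviorAdmin
$user  = $p.ConsentPromptBehaviorUser

Write-Output ("EnableLUA                  = {0} (0 means UAC is off entirely)" -f $p.EnableLUA)
Write-Output ("ConsentPromptBehaviorAdmin = {0} : {1}" -f $admin, (Describe-Value $adminMeaning $admin))
Write-Output ("ConsentPromptBehaviorUser  = {0} : {1}" -f $user,  (Describe-Value $userMeaning  $user))

# The account described in the thread (asks for the admin password on elevation)
# corresponds to admin = 1 and user = 1; warn when elevation happens silently.
if ($p.EnableLUA -eq 0 -or $admin -eq 0) {
    Write-Warning 'UAC is off or auto-elevating: admin rights are granted without a prompt.'
}
```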

Ha, you are wrong about the number of processes as a benchmark for efficiency. Tip: use a better performance monitor than Task Manager; total CPU time, CPU spike variance and I/O overhead are far more important than the number of processes.

You are right about Returnil, it is an effective solution to freeze the setup of a PC running admin.

Wondering how you were able to delete OS-related security features of Windows and still have a PC that boots, by the way.

.... he has some sort of specialized blocker [1] for file renaming or other such thing.

Sul.

Ad 1: see pic. It is an old feature of Avast, a little useless nowadays, but in combination with Pretty Good Security a nice countermeasure to prevent moving an executable from the user space (where SRP rules) to the admin/system space.

vLite for a base thinning then delete the feck out of it after install.

All I can say is that if anyone thinks they need UAC then they probably do.

Limited user account - bah.

After desktop comes up after a fresh install get Vista to show the full blown admin account at reboot and select it then delete the account you are forced to create at install.

No more right clicking cmd and selecting "Run as Administrator" as it starts in admin mode.

But if you want to use your system like having to crack a safe and a lack of confidence then that's your choice.

For years, people have been complaining about the insecurity of Windows systems. When Microsoft finally does something about it, what do they do? They (users) don't give a damn. The saddest thing is that advanced users advise casual users not to run UAC because it is annoying. I have a different opinion, and so does my family, running a limited user account and software restriction policies, which in terms of limiting only limit changes to important system parts, so it won't limit, for example, an e-mail client from getting e-mail messages, a web browser from browsing the web, etc.

Now, I'm not saying that you shouldn't feel comfortable running in a full administrator account.
If you have the knowledge to be using an admin account, or have the time to check what's happening in the system, then go ahead. But that's no reason to say to/advise others to do the same.

Would you feel safer if I told you to stop taking your shots, just because it won't prevent you from dying? It's a waste of time, a waste of holes in your skin, a waste of money (if you pay for your shots). Bottom line, you live for your shots, believing they will save your life. What for? What's the point?

Why live in fear?

What if I tell you I don't take any shots... Am I the one lacking confidence...? This would be living in full admin control, right?